How to Mitigate Data Monetization Risks

Collect all the data. Store all the data. Once you've got a massive reservoir of data, you'll be able to answer all the questions the business wants to ask, right? Maybe you can even anonymize the data, package it and sell it, driving revenue to the bottom line.

Not so fast. Monetizing that data may well be the right decision for your company, but it's important to recognize that your data may represent a massive liability from a legal and security perspective, says Jennifer L. Rathburn, partner with law firm Quarles & Brady and a specialist in data management, data breach and privacy and cybersecurity issues.

"Anyone who does cybersecurity and data breach work would say never to retain more than the minimum amount that you need because of the risk of a data breach," she says. "It's really a balancing act. Don't just collect all the data you think you want. You have to have a good business justification for collecting it because it can be a liability."

The Value of That Data

It's clear that data initiatives offer myriad opportunities both internally (streamlining processes, customer insight, enabling new products, etc.) and externally (selling data to third parties). As an example of the latter, Rathburn points to Carolinas HealthCare System, which buys patient data (like credit card purchases) as a data source that it uses as part of an initiative to predict and prevent illness.

Such uses have the potential to transform your business, but they also may expose your organization to considerable risk. In a paper published last month, Rathburn and Associate Simone Colgan Dunlap note that regulatory issues may just be the tip of the iceberg.

"One of the biggest risks associated with use of big data stems from regulatory issues," they write. "The regulation of data is complex and is shifting rapidly. Accordingly, a critical part of creating a successful data monetization strategy involves understanding regulatory constraints related to data acquisition, use and disclosure."

The U.S., for instance, has a confusing array of federal and state laws that address privacy, mostly by industry. Violation of these laws can result in big fines, criminal penalties or lawsuits.

Rathburn and Colgan also note that the U.S. Federal Trade Commission (FTC) has broadly interpreted its authority under Section 5 of the FTC Act, which empowers it to pursue enforcement actions against entities for "deceptive" or "unfair" practices. These enforcement actions can result in consent decrees that require periodic audits for up to 20 years, with fines for those that find themselves in violation.

"Chances are, if your organization is operating within a regulated industry, you are aware of applicable data privacy requirements," Rathburn and Colgan write. "But, mitigating risk requires organizations to go beyond awareness to developing what the FTC has dubbed 'privacy by design,' or building and periodically re-evaluating workable privacy protections into policies, procedures and products."

Who Owns the Data?

There are also contractual sources of risk to consider. Just because you have access to certain data, that doesn't mean that you own the data or can use it in particular ways.

"Everyone thinks the data they have is their own," Rathburn says. "Do you really own that data? Are you getting it from a company you contract with? Are there restrictions on how you can use that data? Do you have the legal authority to do what you want to do with it?"

Rathburn and Colgan note that restrictions on data use may be buried in ownership or confidentiality provisions, meaning your organization needs to conduct a careful review of existing contracts to determine the parameters of relevant restrictions and how they affect the intended uses of your data initiative. And going forward, your organization should determine how it wants to use data, how it needs to use data and then make sure all future contracts are negotiated with those wants and needs in mind.

"It's really important that your legal documents, your contracts, your privacy policies and terms of use be aligned with your big data strategy," Rathburn says. "It's really about what you're representing to individuals and how you're contracting with other entities."

That anticipates another potential source of risk: your relationship with consumers. It's not enough to simply meet the legal requirements associated with your use of data, Rathburn says. Those requirements form a baseline, but you must balance the potential economic upside to your use of data against reputational harm.

"Keep in mind that angry consumers can do more than sheath their credit cards and tweet scathing reviews," Rathburn and Colgan warn. "U.S. common law has handed consumers a serious weapon in the form of privacy torts -- i.e., no caps on damages, potential for class-actions, torts with a capital 'T'."

"If you can't lock down your big data and segregate it off, you really need to make sure you're only keeping the minimum necessary amount of information," Rathburn adds.

Big Data Questions to Ask

Here are some questions Rathburn suggests you answer with relevant stakeholders at the outset of a new data initiative:

Copyright 2017 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.